API key/tokens in Sonarcloud


We are planning an initiative to look into the capability of SonarCloud for our SAST and software security initiatives.
Our CI/CD pipeline will be using: CircleCi
Software languages: Java, JavaScript, Angular, Kotlin
In reference to capability of SonarCloud, does it provide a feature to scan for API keys, tokens?
For the on-premises SonarQube, there is the following SonarQube plugin which can leveraged for this feature: GitHub - Skyscanner/sonar-secrets: SonarQube plugin for identifying hardcoded secrets, such as passwords, API keys, AWS credentials, etc..

Hi @ashish2_sapra2,

There are rules that check for hard-coded credentials. For example Rules explorer


Are you allowed to add your own regex patterns? I don’t think this is as extensive as other tools for scanning for secrets. for example cloud provider keys (like azure or google etc) for service accounts should be found


Thanks for reaching out. We have in our 2021 roadmap the plan to provide a feature to find secrets and not only hard-coded credentials. Normally you should get out of the box the detection of most common secrets without the pain to provide custom regular expressions.

Apart from secrets/keys/tokens from the main cloud providers, which others would you like us to detect as a top priority?


Thanks Alex, that is great news!! This is good for now and cannot think of any additional secrets to scan for.

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.